Ascend-Data-Filter replies sent, but something amiss

Justin M. Parker justin at pneumatek.net
Fri Sep 9 20:15:40 CEST 2005


Greetings.

I've got freeradius (radiusd: FreeRADIUS Version 1.0.2, for host ,
built on Sep  7 2005 at 14:10:37) running, and authenticating well. My
user names, passwords, and NASes are stored in a MySQL database. I
have a user of name, say, "justin" belonging to group "dialin". The
radgroupreply table has four rows of data like this:

id  GroupName  Attribute           op  Value                            prio
1   dialin     Ascend-Data-Filter  +=  ip in forward est                0
2   dialin     Ascend-Data-Filter  +=  ip in forward dst ip x.x.x.x/32  0
3   dialin     Ascend-Data-Filter  +=  ip in drop tcp dstport = 25      0
4   dialin     Ascend-Data-Filter  +=  ip in forward                    0

Here's what wvdial does with the Ascend-Data-Filters in place:

--> WvDial: Internet dialer version 1.54.0
--> Initializing modem.
--> Sending: ATZ
ATZ
OK
--> Sending: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 W2
ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 W2
OK
--> Modem initialized.
--> Sending: ATDT<number>
--> Waiting for carrier.
ATDT<number>
CONNECT 50666
--> Carrier detected.  Waiting for prompt.
<login prompt>
--> Looks like a login prompt.
--> Sending: <login at realm>
Password:
--> Looks like a password prompt.
--> Sending: (password)
Remote Authentication server timeout.
<login prompt>
--> Looks like a login prompt.
--> Sending: <login at realm>
Password:
--> Looks like a password prompt.
--> Sending: (password)
** Bad Password
<login prompt>
--> Looks like a login prompt.
--> Sending: <login at realm>
--> Don't know what to do!  Starting pppd and hoping for the best.
--> Starting pppd at Fri Sep  9 12:45:58 2005
--> pid of pppd: 11381
--> Using interface ppp0
--> Disconnecting at Fri Sep  9 12:46:02 2005
--> The PPP daemon has died: Authentication error.
--> We failed to authenticate ourselves to the peer.
--> Maybe bad account or password? (exit code = 19)
--> man pppd explains pppd error codes in more detail.
--> I guess that's it for now, exiting
--> The PPP daemon has died. (exit code = 19)

There's an awful lot of output from radius -X running while I attempt
to auth, but here's something that sticks out:

rlm_sql (sql): Released sql socket id: 5
  modcall[post-auth]: module "sql" returns ok for request 1
modcall: group post-auth returns ok for request 1
Sending Access-Accept of id 67 to <ip:port>
        Ascend-Data-Filter += 0x697020696e20666f72776172642074637020657374
        Ascend-Data-Filter +=
0x697020696e20666f7277617264206473746970203230382e31322e3136352e302f3234
        Ascend-Data-Filter +=
0x697020696e2064726f702074637020647374706f7274203d203235
        Ascend-Data-Filter += 0x697020696e20666f7277617264
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 67 with timestamp 4321cf66
Nothing to do.  Sleeping until we see a request.

As far as radiusd knows, I logged in. Removing my user from that
dialin group (and thus not sending the group's replies) allows me to
log in as usual. Any ideas? Do those filter replies look right? They
almost look like hex to me, not binary. I've tried
X-Ascend-Data-Filter and Ascend-Data-Filter. Changing the op to :=
sends only the first of the four replies. In the attrs file, I've
added the below line to my DEFAULT set:

Ascend-Data-Filter =* ANY

Any replies appreciated.

-justin
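
An added example, not part of the original post: a Python script that pulls the Ascend-Data-Filter values out of `radiusd -X` output, rejoining values wrapped onto the next line, and reports whether each payload is plain ASCII filter text or non-text bytes. The first three sample values are taken from the debug output above; the fourth is constructed for contrast, and the function names are this example's own.

```python
import re

# Sample radiusd -X lines. The first three values are copied from the post
# (one wrapped across two lines, as in the post); the last value is
# constructed here only to show a non-text payload, not a real filter.
SAMPLE_DEBUG = """\
Sending Access-Accept of id 67 to <ip:port>
        Ascend-Data-Filter += 0x697020696e20666f72776172642074637020657374
        Ascend-Data-Filter +=
0x697020696e2064726f702074637020647374706f7274203d203235
        Ascend-Data-Filter += 0x697020696e20666f7277617264
        Ascend-Data-Filter += 0x0101010000000000000000000000000000000000
Finished request 1
"""

ATTR_RE = re.compile(r"^\s*Ascend-Data-Filter\s*(?:\+=|:=|=)\s*(0x[0-9a-fA-F]+)?\s*$")
HEX_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s*$")


def extract_filters(debug_text):
    """Return the raw bytes of each Ascend-Data-Filter value, rejoining wrapped lines."""
    values = []
    pending = False  # True when the attribute line carried no value
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            if m.group(1):
                values.append(bytes.fromhex(m.group(1)[2:]))
            pending = m.group(1) is None
            continue
        h = HEX_RE.match(line) if pending else None
        if h:
            values.append(bytes.fromhex(h.group(1)[2:]))
        pending = False
    return values


def classify(value):
    """Label a value as literal filter text or as non-text (binary) data."""
    if value and all(0x20 <= b < 0x7F for b in value):
        return ("text", value.decode("ascii"))
    return ("binary", value.hex())


if __name__ == "__main__":
    for kind, shown in map(classify, extract_filters(SAMPLE_DEBUG)):
        print(f"{kind:6} {shown}")
```

A "text" result means the bytes in the Access-Accept are the filter rule's own characters, hex-printed by the debug output.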


